Fix CVE-2025-13836, CVE-2025-12084, and CVE-2025-13837.

- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, with using
  Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
  behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).

CVE-2023-52425-libexpat-2.6.0-backport.patch

@@ -6,9 +6,11 @@
  Lib/test/test_xml_etree.py   |   12 ------------
  5 files changed, 37 insertions(+), 44 deletions(-)
 
---- a/Lib/test/support/__init__.py
-+++ b/Lib/test/support/__init__.py
-@@ -8,6 +8,7 @@ import dataclasses
+Index: Python-3.11.14/Lib/test/support/__init__.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/support/__init__.py	2025-11-15 19:15:08.449938538 +0100
++++ Python-3.11.14/Lib/test/support/__init__.py	2025-11-15 19:15:12.859120260 +0100
+@@ -8,6 +8,7 @@
  import functools
  import os
  import re
@@ -16,7 +18,7 @@
  import stat
  import sys
  import sysconfig
-@@ -56,7 +57,7 @@ __all__ = [
+@@ -56,7 +57,7 @@
      "run_with_tz", "PGO", "missing_compiler_executable",
      "ALWAYS_EQ", "NEVER_EQ", "LARGEST", "SMALLEST",
      "LOOPBACK_TIMEOUT", "INTERNET_TIMEOUT", "SHORT_TIMEOUT", "LONG_TIMEOUT",
@@ -25,7 +27,7 @@
      ]
  
  
-@@ -2240,6 +2241,17 @@ def copy_python_src_ignore(path, names):
+@@ -2279,6 +2280,17 @@
          }
      return ignored
  
@@ -44,9 +46,11 @@
 +fails_with_expat_2_6_0 = (unittest.expectedFailure
 +                          if is_expat_2_6_0
 +                          else lambda test: test)
---- a/Lib/test/test_minidom.py
-+++ b/Lib/test/test_minidom.py
-@@ -6,7 +6,6 @@ import io
+Index: Python-3.11.14/Lib/test/test_minidom.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/test_minidom.py	2025-11-15 19:14:53.915952608 +0100
++++ Python-3.11.14/Lib/test/test_minidom.py	2025-11-15 19:15:12.859877278 +0100
+@@ -6,7 +6,6 @@
  from test import support
  import unittest
  
@@ -54,7 +58,7 @@
  import xml.dom.minidom
  
  from xml.dom.minidom import parse, Attr, Node, Document, parseString
-@@ -1163,13 +1162,11 @@ class MinidomTest(unittest.TestCase):
+@@ -1163,13 +1162,11 @@
  
          # Verify that character decoding errors raise exceptions instead
          # of crashing
@@ -73,7 +77,7 @@
                  b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
  
          doc.unlink()
-@@ -1631,12 +1628,10 @@ class MinidomTest(unittest.TestCase):
+@@ -1631,12 +1628,10 @@
          self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
  
      def testExceptionOnSpacesInXMLNSValue(self):
@@ -90,9 +94,11 @@
              parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
  
      def testDocRemoveChild(self):
---- a/Lib/test/test_pyexpat.py
-+++ b/Lib/test/test_pyexpat.py
-@@ -14,8 +14,7 @@ from test.support import os_helper
+Index: Python-3.11.14/Lib/test/test_pyexpat.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/test_pyexpat.py	2025-11-15 19:14:53.915952608 +0100
++++ Python-3.11.14/Lib/test/test_pyexpat.py	2025-11-15 19:15:12.860334045 +0100
+@@ -14,8 +14,7 @@
  from xml.parsers import expat
  from xml.parsers.expat import errors
  
@@ -102,7 +108,7 @@
  
  class SetAttributeTest(unittest.TestCase):
      def setUp(self):
-@@ -770,9 +769,8 @@ class ReparseDeferralTest(unittest.TestC
+@@ -806,9 +805,8 @@
          self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
  
      def test_reparse_deferral_enabled(self):
@@ -114,7 +120,7 @@
  
          started = []
  
-@@ -801,9 +799,9 @@ class ReparseDeferralTest(unittest.TestC
+@@ -837,9 +835,9 @@
  
          parser = expat.ParserCreate()
          parser.StartElementHandler = start_element
@@ -126,9 +132,11 @@
  
          for chunk in (b'<doc', b'/>'):
              parser.Parse(chunk, False)
---- a/Lib/test/test_sax.py
-+++ b/Lib/test/test_sax.py
-@@ -19,13 +19,11 @@ from xml.sax.xmlreader import InputSourc
+Index: Python-3.11.14/Lib/test/test_sax.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/test_sax.py	2025-11-15 19:14:53.915952608 +0100
++++ Python-3.11.14/Lib/test/test_sax.py	2025-11-15 19:15:12.860746114 +0100
+@@ -19,13 +19,11 @@
  from io import BytesIO, StringIO
  import codecs
  import os.path
@@ -143,7 +151,7 @@
  from test.support.os_helper import FakePath, TESTFN
  
  
-@@ -1215,10 +1213,10 @@ class ExpatReaderTest(XmlTestBase):
+@@ -1215,10 +1213,10 @@
  
          self.assertEqual(result.getvalue(), start + b"<doc>text</doc>")
  
@@ -157,7 +165,7 @@
          result = BytesIO()
          xmlgen = XMLGenerator(result)
          parser = create_parser()
-@@ -1241,6 +1239,9 @@ class ExpatReaderTest(XmlTestBase):
+@@ -1241,6 +1239,9 @@
          self.assertEqual(result.getvalue(), start + b"<doc></doc>")
  
      def test_flush_reparse_deferral_disabled(self):
@@ -167,7 +175,7 @@
          result = BytesIO()
          xmlgen = XMLGenerator(result)
          parser = create_parser()
-@@ -1249,9 +1250,8 @@ class ExpatReaderTest(XmlTestBase):
+@@ -1249,9 +1250,8 @@
          for chunk in ("<doc", ">"):
              parser.feed(chunk)
  
@@ -179,9 +187,11 @@
  
          self.assertFalse(parser._parser.GetReparseDeferralEnabled())
  
---- a/Lib/test/test_xml_etree.py
-+++ b/Lib/test/test_xml_etree.py
-@@ -13,7 +13,6 @@ import itertools
+Index: Python-3.11.14/Lib/test/test_xml_etree.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/test_xml_etree.py	2025-11-15 19:14:53.915952608 +0100
++++ Python-3.11.14/Lib/test/test_xml_etree.py	2025-11-15 19:15:12.861491049 +0100
+@@ -13,7 +13,6 @@
  import operator
  import os
  import pickle
@@ -189,7 +199,7 @@
  import sys
  import textwrap
  import types
-@@ -1424,12 +1423,6 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1424,12 +1423,6 @@
          self.assert_event_tags(parser, [('end', 'root')])
          self.assertIsNone(parser.close())
  
@@ -202,7 +212,7 @@
      def test_simple_xml_chunk_22(self):
          self.test_simple_xml(chunk_size=22)
  
-@@ -1627,9 +1620,6 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1627,9 +1620,6 @@
          with self.assertRaises(ValueError):
              ET.XMLPullParser(events=('start', 'end', 'bogus'))
  
@@ -212,7 +222,7 @@
      def test_flush_reparse_deferral_enabled(self):
          parser = ET.XMLPullParser(events=('start', 'end'))
  
-@@ -1656,8 +1646,6 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1656,8 +1646,6 @@
  
          for chunk in ("<doc", ">"):
              parser.feed(chunk)

CVE-2023-52425-remove-reparse_deferral-tests.patch

@@ -4,9 +4,11 @@
  Lib/test/test_xml_etree.py |    2 ++
  3 files changed, 6 insertions(+)
 
---- a/Lib/test/test_pyexpat.py
-+++ b/Lib/test/test_pyexpat.py
-@@ -768,6 +768,7 @@ class ReparseDeferralTest(unittest.TestC
+Index: Python-3.11.14/Lib/test/test_pyexpat.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/test_pyexpat.py	2025-11-15 19:15:12.860334045 +0100
++++ Python-3.11.14/Lib/test/test_pyexpat.py	2025-11-15 19:15:15.541090355 +0100
+@@ -804,6 +804,7 @@
          parser.SetReparseDeferralEnabled(True)
          self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
  
@@ -14,7 +16,7 @@
      def test_reparse_deferral_enabled(self):
          if not is_expat_2_6_0:
              self.skipTest("Linked libexpat doesn't support reparse deferral")
-@@ -791,6 +792,7 @@ class ReparseDeferralTest(unittest.TestC
+@@ -827,6 +828,7 @@
  
          self.assertEqual(started, ['doc'])
  
@@ -22,9 +24,11 @@
      def test_reparse_deferral_disabled(self):
          started = []
  
---- a/Lib/test/test_sax.py
-+++ b/Lib/test/test_sax.py
-@@ -1213,6 +1213,7 @@ class ExpatReaderTest(XmlTestBase):
+Index: Python-3.11.14/Lib/test/test_sax.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/test_sax.py	2025-11-15 19:15:12.860746114 +0100
++++ Python-3.11.14/Lib/test/test_sax.py	2025-11-15 19:15:15.541608234 +0100
+@@ -1213,6 +1213,7 @@
  
          self.assertEqual(result.getvalue(), start + b"<doc>text</doc>")
  
@@ -32,7 +36,7 @@
      def test_flush_reparse_deferral_enabled(self):
          if not is_expat_2_6_0:
              self.skipTest("Linked libexpat doesn't support reparse deferral")
-@@ -1238,6 +1239,7 @@ class ExpatReaderTest(XmlTestBase):
+@@ -1238,6 +1239,7 @@
  
          self.assertEqual(result.getvalue(), start + b"<doc></doc>")
  
@@ -40,9 +44,11 @@
      def test_flush_reparse_deferral_disabled(self):
          if not is_expat_2_6_0:
              self.skipTest("Linked libexpat doesn't support reparse deferral")
---- a/Lib/test/test_xml_etree.py
-+++ b/Lib/test/test_xml_etree.py
-@@ -1620,6 +1620,7 @@ class XMLPullParserTest(unittest.TestCas
+Index: Python-3.11.14/Lib/test/test_xml_etree.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/test_xml_etree.py	2025-11-15 19:15:12.861491049 +0100
++++ Python-3.11.14/Lib/test/test_xml_etree.py	2025-11-15 19:15:15.542327817 +0100
+@@ -1620,6 +1620,7 @@
          with self.assertRaises(ValueError):
              ET.XMLPullParser(events=('start', 'end', 'bogus'))
  
@@ -50,7 +56,7 @@
      def test_flush_reparse_deferral_enabled(self):
          parser = ET.XMLPullParser(events=('start', 'end'))
  
-@@ -1641,6 +1642,7 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1641,6 +1642,7 @@
  
          self.assert_event_tags(parser, [('end', 'doc')])
  

CVE-2025-12084-minidom-quad-search.patch

@@ -0,0 +1,93 @@
+From b95c10349956d95e258553def0fcc52ea3ef8f82 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Wed, 3 Dec 2025 01:16:37 -0600
+Subject: [PATCH] gh-142145: Remove quadratic behavior in node ID cache
+ clearing (GH-142146)
+
+* Remove quadratic behavior in node ID cache clearing
+
+Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
+
+* Add news fragment
+
+---------
+(cherry picked from commit 08d8e18ad81cd45bc4a27d6da478b51ea49486e4)
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
+---
+ Lib/test/test_minidom.py                                                 |   18 ++++++++++
+ Lib/xml/dom/minidom.py                                                   |    9 -----
+ Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst |    1 
+ 3 files changed, 20 insertions(+), 8 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+
+Index: Python-3.11.14/Lib/test/test_minidom.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/test_minidom.py	2025-12-19 22:55:59.547417036 +0100
++++ Python-3.11.14/Lib/test/test_minidom.py	2025-12-19 22:56:07.607956864 +0100
+@@ -2,6 +2,7 @@
+ 
+ import copy
+ import pickle
++import time
+ import io
+ from test import support
+ import unittest
+@@ -176,6 +177,23 @@
+         self.confirm(dom.documentElement.childNodes[-1].data == "Hello")
+         dom.unlink()
+ 
++    def testAppendChildNoQuadraticComplexity(self):
++        impl = getDOMImplementation()
++
++        newdoc = impl.createDocument(None, "some_tag", None)
++        top_element = newdoc.documentElement
++        children = [newdoc.createElement(f"child-{i}") for i in range(1, 2 ** 15 + 1)]
++        element = top_element
++
++        start = time.time()
++        for child in children:
++            element.appendChild(child)
++            element = child
++        end = time.time()
++
++        # This example used to take at least 30 seconds.
++        self.assertLess(end - start, 1)
++
+     def testAppendChildFragment(self):
+         dom, orig, c1, c2, c3, frag = self._create_fragment_test_nodes()
+         dom.documentElement.appendChild(frag)
+Index: Python-3.11.14/Lib/xml/dom/minidom.py
+===================================================================
+--- Python-3.11.14.orig/Lib/xml/dom/minidom.py	2025-10-09 18:16:55.000000000 +0200
++++ Python-3.11.14/Lib/xml/dom/minidom.py	2025-12-19 22:56:07.608359083 +0100
+@@ -292,13 +292,6 @@
+     childNodes.append(node)
+     node.parentNode = self
+ 
+-def _in_document(node):
+-    # return True iff node is part of a document tree
+-    while node is not None:
+-        if node.nodeType == Node.DOCUMENT_NODE:
+-            return True
+-        node = node.parentNode
+-    return False
+ 
+ def _write_data(writer, data):
+     "Writes datachars to writer."
+@@ -1539,7 +1532,7 @@
+     if node.nodeType == Node.DOCUMENT_NODE:
+         node._id_cache.clear()
+         node._id_search_stack = None
+-    elif _in_document(node):
++    elif node.ownerDocument:
+         node.ownerDocument._id_cache.clear()
+         node.ownerDocument._id_search_stack= None
+ 
+Index: Python-3.11.14/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ Python-3.11.14/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst	2025-12-19 22:56:07.608664851 +0100
+@@ -0,0 +1 @@
++Remove quadratic behavior in ``xml.minidom`` node ID cache clearing.

CVE-2025-13836-http-resp-cont-len.patch

@@ -0,0 +1,155 @@
+From 4f2bc24b750a82d3b439f174e7717fc09820bfeb Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Mon, 1 Dec 2025 17:26:07 +0200
+Subject: [PATCH] gh-119451: Fix a potential denial of service in http.client
+ (GH-119454)
+
+Reading the whole body of the HTTP response could cause OOM if
+the Content-Length value is too large even if the server does not send
+a large amount of data. Now the HTTP client reads large data by chunks,
+therefore the amount of consumed memory is proportional to the amount
+of sent data.
+(cherry picked from commit 5a4c4a033a4a54481be6870aa1896fad732555b5)
+
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+---
+ Lib/http/client.py                            | 28 ++++++--
+ Lib/test/test_httplib.py                      | 66 +++++++++++++++++++
+ ...-05-23-11-47-48.gh-issue-119451.qkJe9-.rst |  5 ++
+ 3 files changed, 95 insertions(+), 4 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+index 91ee1b470cfd47..c977612732afbc 100644
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -111,6 +111,11 @@
+ _MAXLINE = 65536
+ _MAXHEADERS = 100
+ 
++# Data larger than this will be read in chunks, to prevent extreme
++# overallocation.
++_MIN_READ_BUF_SIZE = 1 << 20
++
++
+ # Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
+ #
+ # VCHAR          = %x21-7E
+@@ -635,10 +640,25 @@ def _safe_read(self, amt):
+         reading. If the bytes are truly not available (due to EOF), then the
+         IncompleteRead exception can be used to detect the problem.
+         """
+-        data = self.fp.read(amt)
+-        if len(data) < amt:
+-            raise IncompleteRead(data, amt-len(data))
+-        return data
++        cursize = min(amt, _MIN_READ_BUF_SIZE)
++        data = self.fp.read(cursize)
++        if len(data) >= amt:
++            return data
++        if len(data) < cursize:
++            raise IncompleteRead(data, amt - len(data))
++
++        data = io.BytesIO(data)
++        data.seek(0, 2)
++        while True:
++            # This is a geometric increase in read size (never more than
++            # doubling out the current length of data per loop iteration).
++            delta = min(cursize, amt - cursize)
++            data.write(self.fp.read(delta))
++            if data.tell() >= amt:
++                return data.getvalue()
++            cursize += delta
++            if data.tell() < cursize:
++                raise IncompleteRead(data.getvalue(), amt - data.tell())
+ 
+     def _safe_readinto(self, b):
+         """Same as _safe_read, but for reading into a buffer."""
+diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
+index 8b9d49ec094813..55363413b3b140 100644
+--- a/Lib/test/test_httplib.py
++++ b/Lib/test/test_httplib.py
+@@ -1390,6 +1390,72 @@ def run_server():
+         thread.join()
+         self.assertEqual(result, b"proxied data\n")
+ 
++    def test_large_content_length(self):
++        serv = socket.create_server((HOST, 0))
++        self.addCleanup(serv.close)
++
++        def run_server():
++            [conn, address] = serv.accept()
++            with conn:
++                while conn.recv(1024):
++                    conn.sendall(
++                        b"HTTP/1.1 200 Ok\r\n"
++                        b"Content-Length: %d\r\n"
++                        b"\r\n" % size)
++                    conn.sendall(b'A' * (size//3))
++                    conn.sendall(b'B' * (size - size//3))
++
++        thread = threading.Thread(target=run_server)
++        thread.start()
++        self.addCleanup(thread.join, 1.0)
++
++        conn = client.HTTPConnection(*serv.getsockname())
++        try:
++            for w in range(15, 27):
++                size = 1 << w
++                conn.request("GET", "/")
++                with conn.getresponse() as response:
++                    self.assertEqual(len(response.read()), size)
++        finally:
++            conn.close()
++            thread.join(1.0)
++
++    def test_large_content_length_truncated(self):
++        serv = socket.create_server((HOST, 0))
++        self.addCleanup(serv.close)
++
++        def run_server():
++            while True:
++                [conn, address] = serv.accept()
++                with conn:
++                    conn.recv(1024)
++                    if not size:
++                        break
++                    conn.sendall(
++                        b"HTTP/1.1 200 Ok\r\n"
++                        b"Content-Length: %d\r\n"
++                        b"\r\n"
++                        b"Text" % size)
++
++        thread = threading.Thread(target=run_server)
++        thread.start()
++        self.addCleanup(thread.join, 1.0)
++
++        conn = client.HTTPConnection(*serv.getsockname())
++        try:
++            for w in range(18, 65):
++                size = 1 << w
++                conn.request("GET", "/")
++                with conn.getresponse() as response:
++                    self.assertRaises(client.IncompleteRead, response.read)
++                conn.close()
++        finally:
++            conn.close()
++            size = 0
++            conn.request("GET", "/")
++            conn.close()
++            thread.join(1.0)
++
+     def test_putrequest_override_domain_validation(self):
+         """
+         It should be possible to override the default validation
+diff --git a/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst b/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
+new file mode 100644
+index 00000000000000..6d6f25cd2f8bf7
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
+@@ -0,0 +1,5 @@
++Fix a potential memory denial of service in the :mod:`http.client` module.
++When connecting to a malicious server, it could cause
++an arbitrary amount of memory to be allocated.
++This could have led to symptoms including a :exc:`MemoryError`, swapping, out
++of memory (OOM) killed processes or containers, or even system crashes.

CVE-2025-13837-plistlib-mailicious-length.patch

@@ -0,0 +1,160 @@
+From aa9edbb11a2bf7805fd5046cdd5c2d3864aa39f2 Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Mon, 1 Dec 2025 17:28:15 +0200
+Subject: [PATCH] [3.11] gh-119342: Fix a potential denial of service in
+ plistlib (GH-119343)
+
+Reading a specially prepared small Plist file could cause OOM because file's
+read(n) preallocates a bytes object for reading the specified amount of
+data. Now plistlib reads large data by chunks, therefore the upper limit of
+consumed memory is proportional to the size of the input file.
+(cherry picked from commit 694922cf40aa3a28f898b5f5ee08b71b4922df70)
+
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+---
+ Lib/plistlib.py                               | 31 ++++++++++------
+ Lib/test/test_plistlib.py                     | 37 +++++++++++++++++--
+ ...-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst |  5 +++
+ 3 files changed, 59 insertions(+), 14 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
+
+diff --git a/Lib/plistlib.py b/Lib/plistlib.py
+index 53e718f063b3ec..63fefbd5f6d499 100644
+--- a/Lib/plistlib.py
++++ b/Lib/plistlib.py
+@@ -73,6 +73,9 @@
+ PlistFormat = enum.Enum('PlistFormat', 'FMT_XML FMT_BINARY', module=__name__)
+ globals().update(PlistFormat.__members__)
+ 
++# Data larger than this will be read in chunks, to prevent extreme
++# overallocation.
++_MIN_READ_BUF_SIZE = 1 << 20
+ 
+ class UID:
+     def __init__(self, data):
+@@ -499,12 +502,24 @@ def _get_size(self, tokenL):
+ 
+         return tokenL
+ 
++    def _read(self, size):
++        cursize = min(size, _MIN_READ_BUF_SIZE)
++        data = self._fp.read(cursize)
++        while True:
++            if len(data) != cursize:
++                raise InvalidFileException
++            if cursize == size:
++                return data
++            delta = min(cursize, size - cursize)
++            data += self._fp.read(delta)
++            cursize += delta
++
+     def _read_ints(self, n, size):
+-        data = self._fp.read(size * n)
++        data = self._read(size * n)
+         if size in _BINARY_FORMAT:
+             return struct.unpack(f'>{n}{_BINARY_FORMAT[size]}', data)
+         else:
+-            if not size or len(data) != size * n:
++            if not size:
+                 raise InvalidFileException()
+             return tuple(int.from_bytes(data[i: i + size], 'big')
+                          for i in range(0, size * n, size))
+@@ -561,22 +576,16 @@ def _read_object(self, ref):
+ 
+         elif tokenH == 0x40:  # data
+             s = self._get_size(tokenL)
+-            result = self._fp.read(s)
+-            if len(result) != s:
+-                raise InvalidFileException()
++            result = self._read(s)
+ 
+         elif tokenH == 0x50:  # ascii string
+             s = self._get_size(tokenL)
+-            data = self._fp.read(s)
+-            if len(data) != s:
+-                raise InvalidFileException()
++            data = self._read(s)
+             result = data.decode('ascii')
+ 
+         elif tokenH == 0x60:  # unicode string
+             s = self._get_size(tokenL) * 2
+-            data = self._fp.read(s)
+-            if len(data) != s:
+-                raise InvalidFileException()
++            data = self._read(s)
+             result = data.decode('utf-16be')
+ 
+         elif tokenH == 0x80:  # UID
+diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py
+index 95b7a649774dca..2bc64afdbe932f 100644
+--- a/Lib/test/test_plistlib.py
++++ b/Lib/test/test_plistlib.py
+@@ -841,8 +841,7 @@ def test_xml_plist_with_entity_decl(self):
+ 
+ class TestBinaryPlistlib(unittest.TestCase):
+ 
+-    @staticmethod
+-    def decode(*objects, offset_size=1, ref_size=1):
++    def build(self, *objects, offset_size=1, ref_size=1):
+         data = [b'bplist00']
+         offset = 8
+         offsets = []
+@@ -854,7 +853,11 @@ def decode(*objects, offset_size=1, ref_size=1):
+                            len(objects), 0, offset)
+         data.extend(offsets)
+         data.append(tail)
+-        return plistlib.loads(b''.join(data), fmt=plistlib.FMT_BINARY)
++        return b''.join(data)
++
++    def decode(self, *objects, offset_size=1, ref_size=1):
++        data = self.build(*objects, offset_size=offset_size, ref_size=ref_size)
++        return plistlib.loads(data, fmt=plistlib.FMT_BINARY)
+ 
+     def test_nonstandard_refs_size(self):
+         # Issue #21538: Refs and offsets are 24-bit integers
+@@ -963,6 +966,34 @@ def test_invalid_binary(self):
+                 with self.assertRaises(plistlib.InvalidFileException):
+                     plistlib.loads(b'bplist00' + data, fmt=plistlib.FMT_BINARY)
+ 
++    def test_truncated_large_data(self):
++        self.addCleanup(os_helper.unlink, os_helper.TESTFN)
++        def check(data):
++            with open(os_helper.TESTFN, 'wb') as f:
++                f.write(data)
++            # buffered file
++            with open(os_helper.TESTFN, 'rb') as f:
++                with self.assertRaises(plistlib.InvalidFileException):
++                    plistlib.load(f, fmt=plistlib.FMT_BINARY)
++            # unbuffered file
++            with open(os_helper.TESTFN, 'rb', buffering=0) as f:
++                with self.assertRaises(plistlib.InvalidFileException):
++                    plistlib.load(f, fmt=plistlib.FMT_BINARY)
++        for w in range(20, 64):
++            s = 1 << w
++            # data
++            check(self.build(b'\x4f\x13' + s.to_bytes(8, 'big')))
++            # ascii string
++            check(self.build(b'\x5f\x13' + s.to_bytes(8, 'big')))
++            # unicode string
++            check(self.build(b'\x6f\x13' + s.to_bytes(8, 'big')))
++            # array
++            check(self.build(b'\xaf\x13' + s.to_bytes(8, 'big')))
++            # dict
++            check(self.build(b'\xdf\x13' + s.to_bytes(8, 'big')))
++            # number of objects
++            check(b'bplist00' + struct.pack('>6xBBQQQ', 1, 1, s, 0, 8))
++
+ 
+ class TestKeyedArchive(unittest.TestCase):
+     def test_keyed_archive_data(self):
+diff --git a/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
+new file mode 100644
+index 00000000000000..04fd8faca4cf7e
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
+@@ -0,0 +1,5 @@
++Fix a potential memory denial of service in the :mod:`plistlib` module.
++When reading a Plist file received from untrusted source, it could cause
++an arbitrary amount of memory to be allocated.
++This could have led to symptoms including a :exc:`MemoryError`, swapping, out
++of memory (OOM) killed processes or containers, or even system crashes.

CVE-2025-6075-expandvars-perf-degrad.patch

@@ -0,0 +1,359 @@
+From e717839989908ecea9c1c8f3bd17ec9fb1ac8963 Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Fri, 31 Oct 2025 15:49:51 +0200
+Subject: [PATCH] [3.11] gh-136065: Fix quadratic complexity in
+ os.path.expandvars() (GH-134952) (cherry picked from commit
+ f029e8db626ddc6e3a3beea4eff511a71aaceb5c)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+Co-authored-by: Łukasz Langa <lukasz@langa.pl>
+---
+ Lib/ntpath.py                                                            |  126 +++-------
+ Lib/posixpath.py                                                         |   43 +--
+ Lib/test/test_genericpath.py                                             |   14 +
+ Lib/test/test_ntpath.py                                                  |   22 +
+ Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst |    1 
+ 5 files changed, 94 insertions(+), 112 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
+
+Index: Python-3.11.14/Lib/ntpath.py
+===================================================================
+--- Python-3.11.14.orig/Lib/ntpath.py	2025-11-15 19:14:27.424009612 +0100
++++ Python-3.11.14/Lib/ntpath.py	2025-11-15 19:14:41.389069009 +0100
+@@ -378,17 +378,23 @@
+ # XXX With COMMAND.COM you can use any characters in a variable name,
+ # XXX except '^|<>='.
+ 
++_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)"
++_varsub = None
++_varsubb = None
++
+ def expandvars(path):
+     """Expand shell variables of the forms $var, ${var} and %var%.
+ 
+     Unknown variables are left unchanged."""
+     path = os.fspath(path)
++    global _varsub, _varsubb
+     if isinstance(path, bytes):
+         if b'$' not in path and b'%' not in path:
+             return path
+-        import string
+-        varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii')
+-        quote = b'\''
++        if not _varsubb:
++            import re
++            _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
++        sub = _varsubb
+         percent = b'%'
+         brace = b'{'
+         rbrace = b'}'
+@@ -397,94 +403,44 @@
+     else:
+         if '$' not in path and '%' not in path:
+             return path
+-        import string
+-        varchars = string.ascii_letters + string.digits + '_-'
+-        quote = '\''
++        if not _varsub:
++            import re
++            _varsub = re.compile(_varpattern, re.ASCII).sub
++        sub = _varsub
+         percent = '%'
+         brace = '{'
+         rbrace = '}'
+         dollar = '$'
+         environ = os.environ
+-    res = path[:0]
+-    index = 0
+-    pathlen = len(path)
+-    while index < pathlen:
+-        c = path[index:index+1]
+-        if c == quote:   # no expansion within single quotes
+-            path = path[index + 1:]
+-            pathlen = len(path)
+-            try:
+-                index = path.index(c)
+-                res += c + path[:index + 1]
+-            except ValueError:
+-                res += c + path
+-                index = pathlen - 1
+-        elif c == percent:  # variable or '%'
+-            if path[index + 1:index + 2] == percent:
+-                res += c
+-                index += 1
+-            else:
+-                path = path[index+1:]
+-                pathlen = len(path)
+-                try:
+-                    index = path.index(percent)
+-                except ValueError:
+-                    res += percent + path
+-                    index = pathlen - 1
+-                else:
+-                    var = path[:index]
+-                    try:
+-                        if environ is None:
+-                            value = os.fsencode(os.environ[os.fsdecode(var)])
+-                        else:
+-                            value = environ[var]
+-                    except KeyError:
+-                        value = percent + var + percent
+-                    res += value
+-        elif c == dollar:  # variable or '$$'
+-            if path[index + 1:index + 2] == dollar:
+-                res += c
+-                index += 1
+-            elif path[index + 1:index + 2] == brace:
+-                path = path[index+2:]
+-                pathlen = len(path)
+-                try:
+-                    index = path.index(rbrace)
+-                except ValueError:
+-                    res += dollar + brace + path
+-                    index = pathlen - 1
+-                else:
+-                    var = path[:index]
+-                    try:
+-                        if environ is None:
+-                            value = os.fsencode(os.environ[os.fsdecode(var)])
+-                        else:
+-                            value = environ[var]
+-                    except KeyError:
+-                        value = dollar + brace + var + rbrace
+-                    res += value
+-            else:
+-                var = path[:0]
+-                index += 1
+-                c = path[index:index + 1]
+-                while c and c in varchars:
+-                    var += c
+-                    index += 1
+-                    c = path[index:index + 1]
+-                try:
+-                    if environ is None:
+-                        value = os.fsencode(os.environ[os.fsdecode(var)])
+-                    else:
+-                        value = environ[var]
+-                except KeyError:
+-                    value = dollar + var
+-                res += value
+-                if c:
+-                    index -= 1
++
++    def repl(m):
++        lastindex = m.lastindex
++        if lastindex is None:
++            return m[0]
++        name = m[lastindex]
++        if lastindex == 1:
++            if name == percent:
++                return name
++            if not name.endswith(percent):
++                return m[0]
++            name = name[:-1]
+         else:
+-            res += c
+-        index += 1
+-    return res
++            if name == dollar:
++                return name
++            if name.startswith(brace):
++                if not name.endswith(rbrace):
++                    return m[0]
++                name = name[1:-1]
++
++        try:
++            if environ is None:
++                return os.fsencode(os.environ[os.fsdecode(name)])
++            else:
++                return environ[name]
++        except KeyError:
++            return m[0]
++
++    return sub(repl, path)
+ 
+ 
+ # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B.
+Index: Python-3.11.14/Lib/posixpath.py
+===================================================================
+--- Python-3.11.14.orig/Lib/posixpath.py	2025-11-15 19:14:27.465471369 +0100
++++ Python-3.11.14/Lib/posixpath.py	2025-11-15 19:14:41.389334199 +0100
+@@ -287,42 +287,41 @@
+ # This expands the forms $variable and ${variable} only.
+ # Non-existent variables are left unchanged.
+ 
+-_varprog = None
+-_varprogb = None
++_varpattern = r'\$(\w+|\{[^}]*\}?)'
++_varsub = None
++_varsubb = None
+ 
+ def expandvars(path):
+     """Expand shell variables of form $var and ${var}.  Unknown variables
+     are left unchanged."""
+     path = os.fspath(path)
+-    global _varprog, _varprogb
++    global _varsub, _varsubb
+     if isinstance(path, bytes):
+         if b'$' not in path:
+             return path
+-        if not _varprogb:
++        if not _varsubb:
+             import re
+-            _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII)
+-        search = _varprogb.search
++            _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
++        sub = _varsubb
+         start = b'{'
+         end = b'}'
+         environ = getattr(os, 'environb', None)
+     else:
+         if '$' not in path:
+             return path
+-        if not _varprog:
++        if not _varsub:
+             import re
+-            _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII)
+-        search = _varprog.search
++            _varsub = re.compile(_varpattern, re.ASCII).sub
++        sub = _varsub
+         start = '{'
+         end = '}'
+         environ = os.environ
+-    i = 0
+-    while True:
+-        m = search(path, i)
+-        if not m:
+-            break
+-        i, j = m.span(0)
+-        name = m.group(1)
+-        if name.startswith(start) and name.endswith(end):
++
++    def repl(m):
++        name = m[1]
++        if name.startswith(start):
++            if not name.endswith(end):
++                return m[0]
+             name = name[1:-1]
+         try:
+             if environ is None:
+@@ -330,13 +329,11 @@
+             else:
+                 value = environ[name]
+         except KeyError:
+-            i = j
++            return m[0]
+         else:
+-            tail = path[j:]
+-            path = path[:i] + value
+-            i = len(path)
+-            path += tail
+-    return path
++            return value
++
++    return sub(repl, path)
+ 
+ 
+ # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B.
+Index: Python-3.11.14/Lib/test/test_genericpath.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/test_genericpath.py	2025-11-15 19:14:28.470950071 +0100
++++ Python-3.11.14/Lib/test/test_genericpath.py	2025-11-15 19:14:41.389533528 +0100
+@@ -7,6 +7,7 @@
+ import sys
+ import unittest
+ import warnings
++from test import support
+ from test.support import is_emscripten
+ from test.support import os_helper
+ from test.support import warnings_helper
+@@ -434,6 +435,19 @@
+                   os.fsencode('$bar%s bar' % nonascii))
+             check(b'$spam}bar', os.fsencode('%s}bar' % nonascii))
+ 
++    @support.requires_resource('cpu')
++    def test_expandvars_large(self):
++        expandvars = self.pathmodule.expandvars
++        with os_helper.EnvironmentVarGuard() as env:
++            env.clear()
++            env["A"] = "B"
++            n = 100_000
++            self.assertEqual(expandvars('$A'*n), 'B'*n)
++            self.assertEqual(expandvars('${A}'*n), 'B'*n)
++            self.assertEqual(expandvars('$A!'*n), 'B!'*n)
++            self.assertEqual(expandvars('${A}A'*n), 'BA'*n)
++            self.assertEqual(expandvars('${'*10*n), '${'*10*n)
++
+     def test_abspath(self):
+         self.assertIn("foo", self.pathmodule.abspath("foo"))
+         with warnings.catch_warnings():
+Index: Python-3.11.14/Lib/test/test_ntpath.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/test_ntpath.py	2025-11-15 19:14:29.042372971 +0100
++++ Python-3.11.14/Lib/test/test_ntpath.py	2025-11-15 19:14:41.389799697 +0100
+@@ -6,8 +6,8 @@
+ import unittest
+ import warnings
+ from ntpath import ALLOW_MISSING
+-from test.support import os_helper
+-from test.support import TestFailed, is_emscripten
++from test import support
++from test.support import os_helper, is_emscripten
+ from test.support.os_helper import FakePath
+ from test import test_genericpath
+ from tempfile import TemporaryFile
+@@ -57,7 +57,7 @@
+     fn = fn.replace("\\", "\\\\")
+     gotResult = eval(fn)
+     if wantResult != gotResult and _norm(wantResult) != _norm(gotResult):
+-        raise TestFailed("%s should return: %s but returned: %s" \
++        raise support.TestFailed("%s should return: %s but returned: %s" \
+               %(str(fn), str(wantResult), str(gotResult)))
+ 
+     # then with bytes
+@@ -73,7 +73,7 @@
+         warnings.simplefilter("ignore", DeprecationWarning)
+         gotResult = eval(fn)
+     if _norm(wantResult) != _norm(gotResult):
+-        raise TestFailed("%s should return: %s but returned: %s" \
++        raise support.TestFailed("%s should return: %s but returned: %s" \
+               %(str(fn), str(wantResult), repr(gotResult)))
+ 
+ 
+@@ -820,6 +820,19 @@
+             check('%spam%bar', '%sbar' % nonascii)
+             check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii)
+ 
++    @support.requires_resource('cpu')
++    def test_expandvars_large(self):
++        expandvars = ntpath.expandvars
++        with os_helper.EnvironmentVarGuard() as env:
++            env.clear()
++            env["A"] = "B"
++            n = 100_000
++            self.assertEqual(expandvars('%A%'*n), 'B'*n)
++            self.assertEqual(expandvars('%A%A'*n), 'BA'*n)
++            self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%')
++            self.assertEqual(expandvars("%%"*n), "%"*n)
++            self.assertEqual(expandvars("$$"*n), "$"*n)
++
+     def test_expanduser(self):
+         tester('ntpath.expanduser("test")', 'test')
+ 
+@@ -1090,6 +1103,7 @@
+             self.assertIsInstance(b_final_path, bytes)
+             self.assertGreater(len(b_final_path), 0)
+ 
++
+ class NtCommonTest(test_genericpath.CommonTest, unittest.TestCase):
+     pathmodule = ntpath
+     attributes = ['relpath']
+Index: Python-3.11.14/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ Python-3.11.14/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst	2025-11-15 19:14:41.390091148 +0100
+@@ -0,0 +1 @@
++Fix quadratic complexity in :func:`os.path.expandvars`.

Python-3.11.10.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmbbrO0ACgkQ/+h0BBaL
-2Ec+YBAAnQJLKYPjj7Yr7xkFU655Sv86JxeRAdWjnIapbiIuWg3Up8Pd8FTRgHGf
-3XdTHw7b03lSjtzJwavzdnDklqAlBIGn9dVieljUIN7NYyNxoYOr/AiatimgSwv7
-dI5mfun5fLKV6ZcdNdQN5PJ3RZtF3I7VfkN2mlfZJHtxl1agdU/TfW2L+qJ7+JPY
-cayjq2xKTLRNXOf2iV29GRRovLiqA+Dx0+cAwsScwreHMp3U4k3GkeHVoR6fldV4
-bVAM8GRl3CYVFePiqAbamKP1BSys44JOINWbWyd94JxzEAwXWz//Es0h73AzeRfK
-ueORqzdoOGrVc74+HGlAHhqO1Gg7jMMmtkzCEuav+cGHYnMRMOngGR3q47aTJTVb
-5UdP0oD4OlADPFVa6q0LCqN/IFlebWMh9pXYw7Wpek63oNuZHTfNPq4S1AUM2HJm
-C3yzaOG9VAdYfLneJC4ldY4CVt1FKckfaXp5OAaMr71DI74e4CcEswlUupZJLZKV
-TJRjQD15bnXGhHDqU4w3RmzpCWMh2mf4m4VMYQyObl3TtlX+gVvzIhDS5+mXqutB
-F1pdXwaHHkTb2PLLxpwOGrnsp8XoW74tsylcYirQg8jSFMbgxfwgIjEIuRGXeDkT
-B4QzmQ4SxsbLiH7etV6Fznl1h569Z4DO9OOs4i0ZzIjdhPDQtAs=
-=TatG
------END PGP SIGNATURE-----

add-loongarch64-support.patch

@@ -0,0 +1,29 @@
+Description: Add platform triplets for LoongArch.
+
+---
+ configure.ac |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -976,6 +976,20 @@ cat > conftest.c <<EOF
+         hppa-linux-gnu
+ # elif defined(__ia64__)
+         ia64-linux-gnu
++# elif defined(__loongarch__)
++#  if defined(__loongarch_lp64)
++#   if defined(__loongarch_soft_float)
++        loongarch64-linux-gnusf
++#   elif defined(__loongarch_single_float)
++        loongarch64-linux-gnuf32
++#   elif defined(__loongarch_double_float)
++        loongarch64-linux-gnu
++#   else
++#    error unknown platform triplet
++#   endif
++#  else
++#   error unknown platform triplet
++#  endif
+ # elif defined(__m68k__) && !defined(__mcoldfire__)
+         m68k-linux-gnu
+ # elif defined(__mips_hard_float) && defined(__mips_isa_rev) && (__mips_isa_rev >=6) && defined(_MIPSEL)

fix_configure_rst.patch

@@ -3,9 +3,11 @@
  Misc/NEWS               |    2 +-
  2 files changed, 1 insertion(+), 4 deletions(-)
 
---- a/Doc/using/configure.rst
-+++ b/Doc/using/configure.rst
-@@ -43,7 +43,6 @@ General Options
+Index: Python-3.11.14/Doc/using/configure.rst
+===================================================================
+--- Python-3.11.14.orig/Doc/using/configure.rst	2025-11-15 19:14:54.096952433 +0100
++++ Python-3.11.14/Doc/using/configure.rst	2025-11-15 19:15:04.439920979 +0100
+@@ -43,7 +43,6 @@
  
     See :data:`sys.int_info.bits_per_digit <sys.int_info>`.
  
@@ -13,7 +15,7 @@
  .. option:: --with-cxx-main=COMPILER
  
     Compile the Python ``main()`` function and link Python executable with C++
-@@ -529,13 +528,11 @@ macOS Options
+@@ -529,13 +528,11 @@
  
  See ``Mac/README.rst``.
  
@@ -27,9 +29,11 @@
  .. option:: --enable-framework=INSTALLDIR
  
     Create a Python.framework rather than a traditional Unix install. Optional
---- a/Misc/NEWS
-+++ b/Misc/NEWS
-@@ -9774,7 +9774,7 @@ C API
+Index: Python-3.11.14/Misc/NEWS
+===================================================================
+--- Python-3.11.14.orig/Misc/NEWS	2025-11-15 19:14:54.096952433 +0100
++++ Python-3.11.14/Misc/NEWS	2025-11-15 19:15:04.445942414 +0100
+@@ -9987,7 +9987,7 @@
  - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
  
  - bpo-43795: The list in :ref:`limited-api-list` now shows the public name

gh139257-Support-docutils-0.22.patch

@@ -0,0 +1,36 @@
+From 19b61747df3d62c822285c488753d6fbdf91e3ac Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Tue, 23 Sep 2025 10:20:16 +0200
+Subject: [PATCH 1/2] gh-139257: Support docutils >= 0.22
+
+---
+ Doc/tools/extensions/pyspecific.py |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+Index: Python-3.11.13/Doc/tools/extensions/pyspecific.py
+===================================================================
+--- Python-3.11.13.orig/Doc/tools/extensions/pyspecific.py	2025-06-03 20:38:25.000000000 +0200
++++ Python-3.11.13/Doc/tools/extensions/pyspecific.py	2025-09-30 18:20:10.096471679 +0200
+@@ -48,11 +48,21 @@
+ SOURCE_URI = 'https://github.com/python/cpython/tree/3.11/%s'
+ 
+ # monkey-patch reST parser to disable alphabetic and roman enumerated lists
++def _disable_alphabetic_and_roman(text):
++    try:
++        # docutils >= 0.22
++        from docutils.parsers.rst.states import InvalidRomanNumeralError
++        raise InvalidRomanNumeralError(text)
++    except ImportError:
++        # docutils < 0.22
++        return None
++
++
+ from docutils.parsers.rst.states import Body
+ Body.enum.converters['loweralpha'] = \
+     Body.enum.converters['upperalpha'] = \
+     Body.enum.converters['lowerroman'] = \
+-    Body.enum.converters['upperroman'] = lambda x: None
++    Body.enum.converters['upperroman'] = _disable_alphabetic_and_roman
+ 
+ # monkey-patch the productionlist directive to allow hyphens in group names
+ # https://github.com/sphinx-doc/sphinx/issues/11854

idle3.appdata.xml

@@ -1,16 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<!-- Copyright 2017 Zbigniew Jędrzejewski-Szmek -->
-<application>
-  <id type="desktop">idle3.desktop</id>
+<component type="desktop-application">
+  <id>org.python.IDLE3</id>
+  <launchable type="desktop-id">idle3.desktop</launchable>
+
   <name>IDLE3</name>
-  <metadata_licence>CC0</metadata_licence>
-  <project_license>Python-2.0</project_license>
   <summary>Python 3 Integrated Development and Learning Environment</summary>
+
   <description>
     <p>
       IDLE is Python’s Integrated Development and Learning Environment.
-      The GUI is uniform between Windows, Unix, and Mac OS X.
+      The GUI is uniform between Windows, Unix, and macOS.
       IDLE provides an easy way to start writing, running, and debugging
       Python code.
     </p>
@@ -19,17 +19,33 @@
       It provides:
     </p>
     <ul>
-       <li>a Python shell window (interactive interpreter) with colorizing of code input, output, and error messages,</li>
-       <li>a multi-window text editor with multiple undo, Python colorizing, smart indent, call tips, auto completion, and other features,</li>
-       <li>search within any window, replace within editor windows, and search through multiple files (grep),</li>
-       <li>a debugger with persistent breakpoints, stepping, and viewing of global and local namespaces.</li>
+      <li>a Python shell window (interactive interpreter) with colorizing of code input, output, and error messages,</li>
+      <li>a multi-window text editor with multiple undo, Python colorizing, smart indent, call tips, auto completion, and other features,</li>
+      <li>search within any window, replace within editor windows, and search through multiple files (grep),</li>
+      <li>a debugger with persistent breakpoints, stepping, and viewing of global and local namespaces.</li>
     </ul>
   </description>
+
+  <developer id="org.python">
+    <name>Python Software Foundation</name>
+  </developer>
+
   <url type="homepage">https://docs.python.org/3/library/idle.html</url>
+
   <screenshots>
-    <screenshot type="default">http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-main-window.png</screenshot>
-    <screenshot>http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-class-browser.png</screenshot>
-    <screenshot>http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-code-viewer.png</screenshot>
+    <screenshot type="default">
+      <image>https://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-main-window.png</image>
+    </screenshot>
+    <screenshot>
+      <image>https://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-class-browser.png</image>
+    </screenshot>
+    <screenshot>
+      <image>https://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-code-viewer.png</image>
+    </screenshot>
   </screenshots>
+
+  <project_license>Python-2.0</project_license>
+  <metadata_license>CC0-1.0</metadata_license>
   <update_contact>zbyszek@in.waw.pl</update_contact>
-</application>
+</component>
+

python-3.3.0b1-test-posix_fadvise.patch

@@ -1,17 +0,0 @@
----
- Lib/test/test_posix.py |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: Python-3.11.8/Lib/test/test_posix.py
-===================================================================
---- Python-3.11.8.orig/Lib/test/test_posix.py
-+++ Python-3.11.8/Lib/test/test_posix.py
-@@ -430,7 +430,7 @@ class PosixTester(unittest.TestCase):
-     def test_posix_fadvise(self):
-         fd = os.open(os_helper.TESTFN, os.O_RDONLY)
-         try:
--            posix.posix_fadvise(fd, 0, 0, posix.POSIX_FADV_WILLNEED)
-+            posix.posix_fadvise(fd, 0, 0, posix.POSIX_FADV_RANDOM)
-         finally:
-             os.close(fd)
- 

python311-rpmlintrc

@@ -1,3 +1,4 @@
 addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem")
 addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/*.c")
 addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/*.cpp")
+addFilter("python-bytecode-inconsistent-mtime.*\.pyc")

python311.changes

@@ -1,3 +1,311 @@
+-------------------------------------------------------------------
+Thu Dec 18 10:33:44 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
+  CVE-2025-13836) to prevent reading an HTTP response from
+  a server, if no read amount is specified, with using
+  Content-Length per default as the length.
+- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
+  behavior in node ID cache clearing (CVE-2025-12084,
+  bsc#1254997).
+- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
+  against OOM when loading malicious content (CVE-2025-13837,
+  bsc#1254401).
+
+-------------------------------------------------------------------
+Thu Nov 13 17:13:03 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
+  quadratic complexity vulnerabilities of os.path.expandvars()
+  (CVE-2025-6075, bsc#1252974).
+- Readjusted patches:
+  - CVE-2023-52425-libexpat-2.6.0-backport.patch
+  - CVE-2023-52425-remove-reparse_deferral-tests.patch
+  - fix_configure_rst.patch
+  - skip_if_buildbot-extend.patch
+
+-------------------------------------------------------------------
+Wed Oct 15 08:52:35 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Update to 3.11.14:
+  - Security
+    - gh-139700: Check consistency of the zip64 end of central
+      directory record. Support records with “zip64 extensible data”
+      if there are no bytes prepended to the ZIP file
+      (CVE-2025-8291, bsc#1251305).
+    - gh-139400: xml.parsers.expat: Make sure that parent Expat
+      parsers are only garbage-collected once they are no longer
+      referenced by subparsers created by
+      ExternalEntityParserCreate(). Patch by Sebastian Pipping.
+    - gh-135661: Fix parsing start and end tags in
+      html.parser.HTMLParser according to the HTML5 standard.
+      * Whitespaces no longer accepted between </ and the tag name. E.g.
+        </ script> does not end the script section.
+      * Vertical tabulation (\v) and non-ASCII whitespaces no longer
+        recognized as whitespaces. The only whitespaces are \t\n\r\f and
+        space.
+      * Null character (U+0000) no longer ends the tag name.
+      * Attributes and slashes after the tag name in end tags are now
+        ignored, instead of terminating after the first > in quoted
+        attribute value. E.g. </script/foo=">"/>.
+      * Multiple slashes and whitespaces between the last attribute and
+        closing > are now ignored in both start and end tags. E.g. <a
+        foo=bar/ //>.
+      * Multiple = between attribute name and value are no longer
+        collapsed. E.g. <a foo==bar> produces attribute “foo” with value
+        “=bar”.
+    - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
+      according to the HTML5 standard: ] ]> and ]] > no longer end the
+      CDATA section. Add private method _set_support_cdata() which can
+      be used to specify how to parse <[CDATA[ — as a CDATA section in
+      foreign content (SVG or MathML) or as a bogus comment in the
+      HTML namespace.
+    - gh-102555: Fix comment parsing in html.parser.HTMLParser
+      according to the HTML5 standard. --!> now ends the comment. -- >
+      no longer ends the comment. Support abnormally ended empty
+      comments <--> and <--->.
+    - gh-135462: Fix quadratic complexity in processing specially
+      crafted input in html.parser.HTMLParser. End-of-file errors are
+      now handled according to the HTML5 specs – comments and
+      declarations are automatically closed, tags are ignored.
+    - gh-118350: Fix support of escapable raw text mode (elements
+      “textarea” and “title”) in html.parser.HTMLParser.
+    - gh-86155: html.parser.HTMLParser.close() no longer loses data
+      when the <script> tag is not closed. Patch by Waylan Limberg.
+  - Library
+    - gh-139312: Upgrade bundled libexpat to 2.7.3
+    - gh-138998: Update bundled libexpat to 2.7.2
+    - gh-130577: tarfile now validates archives to ensure member
+      offsets are non-negative. (Contributed by Alexander Enrique
+      Urieles Nieto in gh-130577.)
+    - gh-135374: Update the bundled copy of setuptools to 79.0.1.
+
+- Drop upstreamed patches:
+  - CVE-2025-8194-tarfile-no-neg-offsets.patch
+  - CVE-2025-6069-quad-complex-HTMLParser.patch
+
+-------------------------------------------------------------------
+Mon Sep 29 06:52:07 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add gh139257-Support-docutils-0.22.patch to fix build with latest
+  docutils (>=0.22) gh#python/cpython#139257
+
+-------------------------------------------------------------------
+Fri Sep 19 14:38:03 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Drop AppStream buildrequires and don't run appstreamcli validate
+  as part of the build process: the appdata.xml is not updated by
+  source directly, so we have more contol. Having Appstream or the
+  deprecated appstream-glib result in a build cycle.
+
+-------------------------------------------------------------------
+Thu Sep 18 08:15:31 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Require AppStream to validate appdata file instead of deprecated
+  appstream-glib.
+- Update idle3.appdata.xml to pass the more pedantic appstreamcli.
+
+-------------------------------------------------------------------
+Fri Aug  1 20:09:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now
+  validates archives to ensure member offsets are non-negative
+  (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).
+
+-------------------------------------------------------------------
+Wed Jul  2 14:47:20 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
+  case quadratic complexity when processing certain crafted
+  malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
+
+-------------------------------------------------------------------
+Tue Jul  1 08:19:52 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Use one core to build doc. This will make sphinx doc build
+  reproducible.
+  bsc#1243155
+
+-------------------------------------------------------------------
+Mon Jun  9 17:19:32 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.11.13:
+  - Security
+    - gh-135034: Fixes multiple issues that allowed tarfile
+      extraction filters (filter="data" and filter="tar")
+      to be bypassed using crafted symlinks and hard links.
+      Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
+      (bsc#1244059), CVE-2025-4330 (bsc#1244060), and
+      CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
+      (gh#135034, bsc#1244061).
+    - gh-133767: Fix use-after-free in the “unicode-escape”
+      decoder with a non-“strict” error handler (CVE-2025-4516,
+      bsc#1243273).
+    - gh-128840: Short-circuit the processing of long IPv6
+      addresses early in ipaddress to prevent excessive memory
+      consumption and a minor denial-of-service.
+  - Library
+    - gh-128840: Fix parsing long IPv6 addresses with embedded
+      IPv4 address.
+    - gh-134062: ipaddress: fix collisions in __hash__() for
+      IPv4Network and IPv6Network objects.
+    - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
+      according to RFC 3596, §2.5. Patch by Bénédikt Tran.
+    - bpo-43633: Improve the textual representation of
+      IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
+      in ipaddress. Patch by Oleksandr Pavliuk.
+- Remove upstreamed patches:
+  - gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
+  - CVE-2025-4516-DecodeError-handler.patch
+
+-------------------------------------------------------------------
+Thu May 22 13:01:17 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-4516-DecodeError-handler.patch fixing
+  CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
+  vulnerability, which could lead to DoS.
+
+-------------------------------------------------------------------
+Sat May 17 10:02:27 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Use extended %autopatch.
+
+-------------------------------------------------------------------
+Sat May 10 11:38:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Remove python-3.3.0b1-test-posix_fadvise.patch (not needed
+  since kernel 3.6-rc1)
+
+-------------------------------------------------------------------
+Fri Apr 18 14:05:38 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.11.12:
+  - gh-131809: Update bundled libexpat to 2.7.1
+  - gh-131261: Upgrade to libexpat 2.7.0
+  - gh-105704: When using urllib.parse.urlsplit() and
+    urllib.parse.urlparse() host parsing would not reject domain
+    names containing square brackets ([ and ]). Square brackets
+    are only valid for IPv6 and IPvFuture hosts according to RFC
+    3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
+    gh#python/cpython#105704).
+  - gh-121284: Fix bug in the folding of rfc2047 encoded-words
+    when flattening an email message using a modern email
+    policy. Previously when an encoded-word was too long for
+    a line, it would be decoded, split across lines, and
+    re-encoded. But commas and other special characters in the
+    original text could be left unencoded and unquoted. This
+    could theoretically be used to spoof header lines using a
+    carefully constructed encoded-word if the resulting rendered
+    email was transmitted or re-parsed.
+  - gh-80222: Fix bug in the folding of quoted strings
+    when flattening an email message using a modern email
+    policy. Previously when a quoted string was folded so that
+    it spanned more than one line, the surrounding quotes and
+    internal escapes would be omitted. This could theoretically
+    be used to spoof header lines using a carefully constructed
+    quoted string if the resulting rendered email was transmitted
+    or re-parsed.
+  - gh-119511: Fix a potential denial of service in the imaplib
+    module. When connecting to a malicious server, it could
+    cause an arbitrary amount of memory to be allocated. On many
+    systems this is harmless as unused virtual memory is only
+    a mapping, but if this hit a virtual address size limit
+    it could lead to a MemoryError or other process crash. On
+    unusual systems or builds where all allocated memory is
+    touched and backed by actual ram or storage it could’ve
+    consumed resources doing so until similarly crashing.
+  - gh-127257: In ssl, system call failures that OpenSSL reports
+    using ERR_LIB_SYS are now raised as OSError.
+  - gh-121277: Writers of CPython’s documentation can now use
+    next as the version for the versionchanged, versionadded,
+    deprecated directives.
+  - gh-106883: Disable GC during the _PyThread_CurrentFrames()
+    and _PyThread_CurrentExceptions() calls to avoid the
+    interpreter to deadlock.
+- Remove upstreamed patch:
+  - CVE-2025-0938-sq-brackets-domain-names.patch
+- Add gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
+  which makes test_ssl not to stop ThreadedEchoServer on OSError,
+  which makes test_ssl pass with OpenSSL 3.5 (bsc#1241067,
+  gh#python/cpython!126572)
+
+-------------------------------------------------------------------
+Wed Mar 12 15:05:46 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Allow to disable PGO
+
+-------------------------------------------------------------------
+Mon Mar 10 15:44:31 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Skip PGO with %want_reproducible_builds (bsc#1239210)
+
+-------------------------------------------------------------------
+Tue Feb  4 14:43:13 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-0938-sq-brackets-domain-names.patch which
+  disallows square brackets ([ and ]) in domain names for parsed
+  URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
+
+-------------------------------------------------------------------
+Mon Jan 27 09:00:48 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Configure externally_managed with a bcond
+  https://en.opensuse.org/openSUSE:Python:Externally_managed
+  bsc#1228165
+
+-------------------------------------------------------------------
+Wed Dec  4 21:40:41 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.11.11:
+  - Tools/Demos
+    - gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
+      and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
+  - Tests
+    - gh-125041: Re-enable skipped tests for zlib on the
+      s390x architecture: only skip checks of the compressed
+      bytes, which can be different between zlib’s software
+      implementation and the hardware-accelerated implementation.
+  - Security
+    - gh-126623: Upgrade libexpat to 2.6.4
+    - gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
+      consistently use the mapped IPv4 address value for deciding
+      properties. Properties which have their behavior fixed are
+      is_multicast, is_reserved, is_link_local, is_global, and
+      is_unspecified.
+  - Library
+    - gh-124651: Properly quote template strings in venv
+      activation scripts (bsc#1232241, CVE-2024-9287).
+- Removed upstreamed patches:
+  - CVE-2024-9287-venv_path_unquoted.patch
+
+-------------------------------------------------------------------
+Tue Dec  3 08:21:35 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Add add-loongarch64-support.patch to support loongarch64
+
+-------------------------------------------------------------------
+Mon Dec  2 22:50:07 UTC 2024 - Matej Cepl <mcepl@suse.com>
+
+- Fix changelog
+
+-------------------------------------------------------------------
+Mon Nov 11 12:43:40 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Remove -IVendor/ from python-config boo#1231795
+
+-------------------------------------------------------------------
+Fri Nov  1 16:32:10 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote
+  path names provided when creating a virtual environment
+  (bsc#1232241, CVE-2024-9287)
+
+-------------------------------------------------------------------
+Wed Oct  2 16:18:29 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Drop .pyc files from docdir for reproducible builds
+  (bsc#1230906).
+
 -------------------------------------------------------------------
 Mon Sep  9 16:53:07 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 
@@ -81,6 +389,9 @@ Mon Sep  9 16:53:07 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
   - CVE-2024-4032-private-IP-addrs.patch
   - CVE-2024-6923-email-hdr-inject.patch
   - CVE-2024-8088-inf-loop-zipfile_Path.patch
+    (renamed from CVE-2024-8088-zipfile-Path-sanitization.patch)
+  - CVE-2024-6232-ReDOS-backtrack-tarfile.patch
+  - CVE-2024-7592-quad-complex-cookies.patch
 
 -------------------------------------------------------------------
 Mon Sep  2 09:44:26 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
@@ -122,7 +433,7 @@ Thu Jul 18 22:37:07 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 Mon Jul 15 12:14:05 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 
 - Stop using %%defattr, it seems to be breaking proper executable
-  attributes on /usr/bin/ scripts (bsc#1227378). 
+  attributes on /usr/bin/ scripts (bsc#1227378).
 
 -------------------------------------------------------------------
 Tue Jul  2 10:32:58 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
@@ -167,6 +478,7 @@ Mon Apr  8 05:44:04 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
 - Remove not needed upstream patches:
   * libexpat260.patch
   * CVE-2023-6597-TempDir-cleaning-symlink.patch, bsc#1219666
+  * CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
 
 - Update to 3.11.9:
   * Security
@@ -336,8 +648,9 @@ Mon Apr  8 05:44:04 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
     - gh-60346: Fix ArgumentParser inconsistent with parse_known_args.
     - gh-100985: Update HTTPSConnection to consistently wrap IPv6
       Addresses when using a proxy.
-    - gh-100884: email: fix misfolding of comma in address-lists over
-      multiple lines in combination with unicode encoding.
+    - gh-100884: email: fix misfolding of comma in address-lists
+      over multiple lines in combination with unicode encoding
+      (bsc#1238450 CVE-2025-1795)
     - gh-95782: Fix io.BufferedReader.tell(),
       io.BufferedReader.seek(), _pyio.BufferedReader.tell(),
       io.BufferedRandom.tell(), io.BufferedRandom.seek() and
@@ -461,7 +774,7 @@ Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
 Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 
 - Remove double definition of /usr/bin/idle%%{version} in
-  %%files. 
+  %%files.
 
 -------------------------------------------------------------------
 Thu Feb 15 10:29:07 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
@@ -719,7 +1032,8 @@ Thu Feb  8 07:27:40 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
       METH_FASTCALL | METH_KEYWORDS calling convention. Only the
       positional parameter count was checked; any keyword argument
       passed would be silently accepted.
-
+- Remove upstreamed patches:
+  - CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
 - Refresh all patches:
   - CVE-2023-27043-email-parsing-errors.patch
   - F00251-change-user-install-location.patch
@@ -1380,12 +1694,12 @@ Wed Sep  6 07:52:11 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
 -------------------------------------------------------------------
 Thu Aug 10 09:33:26 UTC 2023 - Dirk Müller <dmueller@suse.com>
 
-- restrict PEP668 to ALP/Tumbleweed 
+- restrict PEP668 to ALP/Tumbleweed
 
 -------------------------------------------------------------------
 Fri Aug  4 06:37:41 UTC 2023 - Dirk Müller <dmueller@suse.com>
 
-- add externally_managed.in to label this build as PEP-668 managed 
+- add externally_managed.in to label this build as PEP-668 managed
 
 -------------------------------------------------------------------
 Thu Aug  3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>
@@ -2740,7 +3054,7 @@ Sat Mar 26 22:52:45 UTC 2022 - Matej Cepl <mcepl@suse.com>
 Tue Feb 22 05:53:06 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>
 
 - Add patch support-expat-245.patch:
-  * Support Expat >= 2.4.5 
+  * Support Expat >= 2.4.5
 
 -------------------------------------------------------------------
 Tue Feb 15 23:05:55 UTC 2022 - Matej Cepl <mcepl@suse.com>
@@ -2930,7 +3244,7 @@ Sat Jun  5 21:21:38 UTC 2021 - Matej Cepl <mcepl@suse.com>
 -------------------------------------------------------------------
 Fri Jun  4 21:36:30 UTC 2021 - Dirk Müller <dmueller@suse.com>
 
-- allow build with Sphinx >= 3.x 
+- allow build with Sphinx >= 3.x
 
 -------------------------------------------------------------------
 Wed Jun  2 13:12:04 UTC 2021 - Dan Čermák <dcermak@suse.com>
@@ -3482,7 +3796,7 @@ Sat Dec 12 14:29:33 UTC 2020 - Matej Cepl <mcepl@suse.com>
 Thu Dec 10 00:26:51 UTC 2020 - Benjamin Greiner <code@bnavigator.de>
 
 - Last try before this results in an editwar:
-  * remove importlib_resources and importlib-metadata 
+  * remove importlib_resources and importlib-metadata
     provides/obsoletes
   * import importlib_resources is not the same as
     import importlib.resources, same for metadata
@@ -3599,54 +3913,54 @@ Tue Jul 21 09:53:06 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
 - Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream
 - Removed recursion.tar: contained in upstream
 - Update to 3.9.0b5:
-  - bpo-41304: Fixes python3x._pth being ignored on Windows, caused 
+  - bpo-41304: Fixes python3x._pth being ignored on Windows, caused
     by the fix for bpo-29778 (CVE-2020-15801).
   - bpo-41162: Audit hooks are now cleared later during
     finalization to avoid missing events.
-  - bpo-29778: Ensure python3.dll is loaded from correct locations 
+  - bpo-29778: Ensure python3.dll is loaded from correct locations
     when Python is embedded (CVE-2020-15523).
-  - bpo-39603: Prevent http header injection by rejecting control 
+  - bpo-39603: Prevent http header injection by rejecting control
     characters in http.client.putrequest(…).
   - bpo-41295: Resolve a regression in CPython 3.8.4 where defining
-    “__setattr__” in a multi-inheritance setup and 
+    “__setattr__” in a multi-inheritance setup and
     calling up the hierarchy chain could fail if builtins/extension
     types were involved in the base types.
-  - bpo-41247: Always cache the running loop holder when running 
+  - bpo-41247: Always cache the running loop holder when running
     asyncio.set_running_loop.
-  - bpo-41252: Fix incorrect refcounting in 
+  - bpo-41252: Fix incorrect refcounting in
     _ssl.c’s _servername_callback().
-  - bpo-41215: Use non-NULL default values in the PEG parser 
+  - bpo-41215: Use non-NULL default values in the PEG parser
     keyword list to overcome a bug that was '
     preventing Python from being properly compiled when using the
     XLC compiler. Patch by Pablo Galindo.
-  - bpo-41218: Python 3.8.3 had a regression where compiling with 
-    ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would 
+  - bpo-41218: Python 3.8.3 had a regression where compiling with
+    ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
     aggressively mark list comprehension with CO_COROUTINE. Now only
     list comprehension making use of async/await will tagged as so.
-  - bpo-41175: Guard against a NULL pointer dereference within 
+  - bpo-41175: Guard against a NULL pointer dereference within
     bytearrayobject triggered by the bytearray() + bytearray() operation.
-  - bpo-39960: The “hackcheck” that prevents sneaking around a type’s 
-    __setattr__() by calling the superclass method was 
+  - bpo-39960: The “hackcheck” that prevents sneaking around a type’s
+    __setattr__() by calling the superclass method was
     rewritten to allow C implemented heap types.
-  - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the 
+  - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
     C implementation raises now UnpicklingError instead of crashing.
-  - bpo-39017: Avoid infinite loop when reading specially crafted 
+  - bpo-39017: Avoid infinite loop when reading specially crafted
     TAR files using the tarfile module (CVE-2019-20907, bsc#1174091).
   - bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().
-  - bpo-41207: In distutils.spawn, restore expectation that 
+  - bpo-41207: In distutils.spawn, restore expectation that
     DistutilsExecError is raised when the command is not found.
   - bpo-39168: Remove the __new__ method of typing.Generic.
-  - bpo-41194: Fix a crash in the _ast module: it can no longer be 
+  - bpo-41194: Fix a crash in the _ast module: it can no longer be
     loaded more than once. It now uses a global state rather than a module state.
-  - bpo-39384: Fixed email.contentmanager to allow set_content() to set a 
+  - bpo-39384: Fixed email.contentmanager to allow set_content() to set a
     null string.
-  - bpo-41300: Save files with non-ascii chars. 
+  - bpo-41300: Save files with non-ascii chars.
     Fix regression released in 3.9.0b4 and 3.8.4.
-  - bpo-37765: Add keywords to module name completion list. 
+  - bpo-37765: Add keywords to module name completion list.
     Rewrite Completions section of IDLE doc.
-  - bpo-40170: Revert PyType_HasFeature() change: it reads 
-    again directly the PyTypeObject.tp_flags 
-    member when the limited C API is not used, rather than always calling 
+  - bpo-40170: Revert PyType_HasFeature() change: it reads
+    again directly the PyTypeObject.tp_flags
+    member when the limited C API is not used, rather than always calling
     PyType_GetFlags() which hides implementation details.
 
 -------------------------------------------------------------------
@@ -4167,7 +4481,7 @@ Wed Jun  5 12:19:09 CEST 2019 - Matej Cepl <mcepl@suse.com>
     pickling costs between processes
   - typed_ast is merged back to CPython
   - LOAD_GLOBAL is now 40% faster
-  - pickle now uses Protocol 4 by default, improving performance 
+  - pickle now uses Protocol 4 by default, improving performance
 - Remove patches which were included in the upstream:
   - 00251-change-user-install-location.patch
   - 00316-mark-bdist_wininst-unsupported.patch
@@ -4312,7 +4626,7 @@ Mon Dec 17 17:24:49 CET 2018 - mcepl@suse.com
 
 - Upgrade to 3.7.2rc1:
     * bugfix release, for the full list of all changes see
-      https://docs.python.org/3.7/whatsnew/changelog.html#changelog 
+      https://docs.python.org/3.7/whatsnew/changelog.html#changelog
 - Make run of the test suite more verbose
 
 -------------------------------------------------------------------
@@ -4739,7 +5053,7 @@ Mon Mar 13 14:04:22 UTC 2017 - jmatejek@suse.com
 Sat Feb 25 20:55:57 UTC 2017 - bwiedemann@suse.com
 
 - Add 0001-allow-for-reproducible-builds-of-python-packages.patch
-  upstream https://github.com/python/cpython/pull/296 
+  upstream https://github.com/python/cpython/pull/296
 
 -------------------------------------------------------------------
 Wed Feb  8 12:30:20 UTC 2017 - jmatejek@suse.com
@@ -4805,7 +5119,7 @@ Mon Mar  7 20:38:11 UTC 2016 - toddrme2178@gmail.com
 
 - Add  Python-3.5.1-fix_lru_cache_copying.patch
   Fix copying the lru_cache() wrapper object.
-  Fixes deep-copying lru_cache regression, which worked on 
+  Fixes deep-copying lru_cache regression, which worked on
   previous versions of python but fails on python 3.5.
   This fixes a bunch of packages in devel:languages:python3.
   See: https://bugs.python.org/issue25447
@@ -4943,7 +5257,7 @@ Sun Jan 11 13:01:30 UTC 2015 - p.drouand@gmail.com
 -------------------------------------------------------------------
 Sat Oct 18 20:14:54 UTC 2014 - crrodriguez@opensuse.org
 
-- Only pkgconfig(x11) is required for build, not the whole 
+- Only pkgconfig(x11) is required for build, not the whole
   set of packages provided by xorg-x11-devel metapackage.
 
 -------------------------------------------------------------------
@@ -5003,7 +5317,7 @@ Wed Mar 26 15:24:46 UTC 2014 - jmatejek@suse.com
 -------------------------------------------------------------------
 Mon Mar 24 17:29:31 UTC 2014 - dmueller@suse.com
 
-- remove blacklisting of test_posix on aarch64: qemu bug is fixed 
+- remove blacklisting of test_posix on aarch64: qemu bug is fixed
 
 -------------------------------------------------------------------
 Mon Mar 17 18:26:58 UTC 2014 - jmatejek@suse.com
@@ -5106,7 +5420,7 @@ Tue Nov 19 14:28:41 UTC 2013 - jmatejek@suse.com
 -------------------------------------------------------------------
 Tue Oct 15 17:44:08 UTC 2013 - crrodriguez@opensuse.org
 
-- build with -DOPENSSL_LOAD_CONF for the same reasons 
+- build with -DOPENSSL_LOAD_CONF for the same reasons
   described in the python2 package.
 
 -------------------------------------------------------------------
@@ -5118,7 +5432,7 @@ Fri Aug 16 11:35:15 UTC 2013 - jmatejek@suse.com
 -------------------------------------------------------------------
 Thu Aug  8 14:54:49 UTC 2013 - dvaleev@suse.com
 
-- Exclue test_faulthandler from tests on powerpc due to bnc#831629 
+- Exclue test_faulthandler from tests on powerpc due to bnc#831629
 
 -------------------------------------------------------------------
 Thu Jun 13 15:05:34 UTC 2013 - jmatejek@suse.com
@@ -5177,7 +5491,7 @@ Fri Mar  1 07:42:21 UTC 2013 - dmueller@suse.com
 
 - add ctypes-libffi-aarch64.patch:
   * import aarch64 support for libffi in _ctypes module
-- add aarch64 to the list of lib64 based archs 
+- add aarch64 to the list of lib64 based archs
 - add movetogetdents64.diff:
   * port to getdents64, as SYS_getdents is not implemented everywhere
 
@@ -5231,9 +5545,9 @@ Mon Oct 29 18:21:45 UTC 2012 - dmueller@suse.com
 -------------------------------------------------------------------
 Thu Oct 25 08:14:36 UTC 2012 - Rene.vanPaassen@gmail.com
 
-- exclude test_math for SLE 11; math library fails on negative 
+- exclude test_math for SLE 11; math library fails on negative
   gamma function values close to integers and 0, probably
-  due to imprecision in -lm on SLE_11_SP2. 
+  due to imprecision in -lm on SLE_11_SP2.
 
 -------------------------------------------------------------------
 Tue Oct 16 12:15:34 UTC 2012 - coolo@suse.com
@@ -5257,7 +5571,7 @@ Mon Oct  1 08:53:03 UTC 2012 - idonmez@suse.com
 -------------------------------------------------------------------
 Thu Sep 27 12:35:01 UTC 2012 - idonmez@suse.com
 
-- Correct dependency for python3-testsuite, 
+- Correct dependency for python3-testsuite,
   python3-tkinter -> python3-tk
 
 -------------------------------------------------------------------
@@ -5290,7 +5604,7 @@ Fri Aug  3 12:09:34 UTC 2012 - jmatejek@suse.com
 -------------------------------------------------------------------
 Fri Jul 27 09:02:41 UTC 2012 - dvaleev@suse.com
 
-- skip test_io on ppc 
+- skip test_io on ppc
 - drop test_io ppc patch
 
 -------------------------------------------------------------------
@@ -5339,8 +5653,8 @@ Wed Jan 18 15:49:47 UTC 2012 - jmatejek@suse.com
 -------------------------------------------------------------------
 Sun Dec 25 13:25:01 UTC 2011 - idonmez@suse.com
 
-- Use system ffi, included one is broken see 
-  http://bugs.python.org/issue11729 and 
+- Use system ffi, included one is broken see
+  http://bugs.python.org/issue11729 and
   http://bugs.python.org/issue12081
 
 -------------------------------------------------------------------

python311.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python311
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -36,12 +36,20 @@
 %bcond_without general
 %endif
 
-%if 0%{?do_profiling}
+%if 0%{?do_profiling} && !0%{?want_reproducible_builds}
 %bcond_without profileopt
 %else
 %bcond_with profileopt
 %endif
 
+# Only for Tumbleweed
+# https://en.opensuse.org/openSUSE:Python:Externally_managed
+%if 0%{?suse_version} > 1600
+%bcond_without externally_managed
+%else
+%bcond_with externally_managed
+%endif
+
 %define         python_pkg_name python311
 %if "%{python_pkg_name}" == "%{primary_python}"
 %define primary_interpreter 1
@@ -98,15 +106,14 @@
 # pyexpat.cpython-35m-armv7-linux-gnueabihf
 # _md5.cpython-38m-x86_64-linux-gnu.so
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
-%bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.11.10
+Version:        3.11.14
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
 URL:            https://www.python.org/
 Source0:        https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz
-Source1:        https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.asc
+Source1:        https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.sigstore
 Source2:        baselibs.conf
 Source3:        README.SUSE
 Source4:        externally_managed.in
@@ -145,8 +152,6 @@ Patch03:        distutils-reproducible-compile.patch
 Patch04:        python-3.3.0b1-localpath.patch
 # replace DATE, TIME and COMPILER by fixed definitions to aid reproducible builds
 Patch05:        python-3.3.0b1-fix_date_time_compiler.patch
-# POSIX_FADV_WILLNEED throws EINVAL. Use a different constant in test
-Patch06:        python-3.3.0b1-test-posix_fadvise.patch
 # Raise timeout value for test_subprocess
 Patch07:        subprocess-raise-timeout.patch
 # PATCH-FEATURE-UPSTREAM bpo-31046_ensurepip_honours_prefix.patch bpo#31046 mcepl@suse.com
@@ -179,8 +184,25 @@ Patch19:        bso1227999-reproducible-builds.patch
 # PATCH-FIX-UPSTREAM gh120226-fix-sendfile-test-kernel-610.patch gh#python/cpython#120226 mcepl@suse.com
 # Fix test_sendfile_close_peer_in_the_middle_of_receiving on Linux >= 6.10 (GH-120227)
 Patch22:        gh120226-fix-sendfile-test-kernel-610.patch
+# PATCH-FIX-UPSTREAM Add platform triplets for 64-bit LoongArch gh#python/cpython#30939 glaubitz@suse.com
+Patch24:        add-loongarch64-support.patch
+# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
+Patch25:        gh139257-Support-docutils-0.22.patch
+# PATCH-FIX-UPSTREAM CVE-2025-6075-expandvars-perf-degrad.patch bsc#1252974 mcepl@suse.com
+# Avoid potential quadratic complexity vulnerabilities in path modules
+Patch26:        CVE-2025-6075-expandvars-perf-degrad.patch
+# PATCH-FIX-UPSTREAM CVE-2025-13836-http-resp-cont-len.patch bsc#1254400 mcepl@suse.com
+# Avoid loading possibly compromised length of HTTP response
+Patch27:        CVE-2025-13836-http-resp-cont-len.patch
+# PATCH-FIX-UPSTREAM CVE-2025-12084-minidom-quad-search.patch bsc#1254997 mcepl@suse.com
+# prevent quadratic behavior in node ID cache clearing 
+Patch28:        CVE-2025-12084-minidom-quad-search.patch
+# PATCH-FIX-UPSTREAM CVE-2025-13837-plistlib-mailicious-length.patch bsc#1254401 mcepl@suse.com
+# protect against OOM when loading malicious content
+Patch29:        CVE-2025-13837-plistlib-mailicious-length.patch 
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
+BuildRequires:  crypto-policies-scripts
 BuildRequires:  fdupes
 BuildRequires:  gmp-devel
 BuildRequires:  lzma-devel
@@ -212,8 +234,6 @@ BuildRequires:  python3-python-docs-theme >= 2022.1
 %endif
 %endif
 %if %{with general}
-# required for idle3 (.desktop and .appdata.xml files)
-BuildRequires:  appstream-glib
 BuildRequires:  gcc-c++
 BuildRequires:  gdbm-devel
 BuildRequires:  gettext
@@ -421,26 +441,11 @@ other applications.
 %prep
 %setup -q -n %{tarname}
 
-%patch -p1 -P 02
-%patch -p1 -P 03
-%patch -p1 -P 04
-%patch -p1 -P 05
-%patch -p1 -P 06
-%patch -p1 -P 07
-%patch -p1 -P 08
-
+%autopatch -p1 -M 08
 %if 0%{?suse_version} <= 1500
 %patch -P 09 -p1
 %endif
-
-%patch -p1 -P 10
-%patch -p1 -P 11
-%patch -p1 -P 13
-%patch -p1 -P 15
-%patch -p1 -P 16
-%patch -p1 -P 17
-%patch -p1 -P 19
-%patch -p1 -P 22
+%autopatch -p1 -m 10
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@@ -485,7 +490,7 @@ TODAY_DATE=`date -r %{SOURCE0} "+%%B %%d, %%Y"`
 
 cd Doc
 sed -i "s/^today = .*/today = '$TODAY_DATE'/" conf.py
-%make_build -j1 html
+%make_build -j1 JOBS=1 html
 
 # Build also devhelp files
 sphinx-build -a -b devhelp . build/devhelp
@@ -686,7 +691,6 @@ install -m 644 -D -t %{buildroot}%{_datadir}/applications idle%{python_version}.
 cp %{SOURCE20} idle%{python_version}.appdata.xml
 sed -i -e 's:idle3.desktop:idle%{python_version}.desktop:g' idle%{python_version}.appdata.xml
 install -m 644 -D -t %{buildroot}%{_datadir}/metainfo idle%{python_version}.appdata.xml
-appstream-util validate-relax --nonet %{buildroot}%{_datadir}/metainfo/idle%{python_version}.appdata.xml
 
 %fdupes %{buildroot}/%{_libdir}/python%{python_version}
 %endif
@@ -723,7 +727,7 @@ rm %{buildroot}%{_libdir}/libpython3.so
 rm %{buildroot}%{_libdir}/pkgconfig/{python3,python3-embed}.pc
 %endif
 
-%if %{suse_version} > 1550
+%if %{with externally_managed}
 # PEP-0668 mark this as a distro maintained python
 sed -e 's,__PYTHONPREFIX__,%{python_pkg_name},' -e 's,__PYTHON__,python%{python_version},' < %{SOURCE4} > %{buildroot}%{sitedir}/EXTERNALLY-MANAGED
 %endif
@@ -764,6 +768,9 @@ install -m 755 -D Tools/gdb/libpython.py %{buildroot}%{_datadir}/gdb/auto-load/%
 # install devel files to /config
 #cp Makefile Makefile.pre.in Makefile.pre $RPM_BUILD_ROOT%%{sitedir}/config-%%{python_abi}/
 
+# Remove -IVendor/ from python-config boo#1231795
+sed -i 's/-IVendor\///' %{buildroot}%{_bindir}/python%{python_abi}-config
+
 # RPM macros
 %if %{primary_interpreter}
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d/
@@ -792,6 +799,11 @@ LD_LIBRARY_PATH=. ./python -O -c "from py_compile import compile; compile('$FAIL
 echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-import-failed-hooks.pth
 %endif
 
+# For the purposes of reproducibility, it is necessary to eliminate any *.pyc files inside documentation dirs
+if [ -d %{buildroot}%{_defaultdocdir} ] ; then
+find %{buildroot}%{_defaultdocdir} -type f -name \*.pyc -ls -exec rm -vf '{}' \;
+fi
+
 %if %{with general}
 %files -n %{python_pkg_name}-tk
 %{sitedir}/tkinter
@@ -911,7 +923,7 @@ echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-impo
 %{_mandir}/man1/python3.1%{?ext_man}
 %endif
 %{_mandir}/man1/python%{python_version}.1%{?ext_man}
-%if 0%{?suse_version} > 1550
+%if %{with externally_managed}
 # PEP-0668
 %{sitedir}/EXTERNALLY-MANAGED
 %endif

skip_if_buildbot-extend.patch

@@ -2,9 +2,11 @@
  Lib/test/support/__init__.py |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
---- a/Lib/test/support/__init__.py
-+++ b/Lib/test/support/__init__.py
-@@ -384,7 +384,7 @@ def skip_if_buildbot(reason=None):
+Index: Python-3.11.14/Lib/test/support/__init__.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/support/__init__.py	2025-11-15 19:14:54.049952478 +0100
++++ Python-3.11.14/Lib/test/support/__init__.py	2025-11-15 19:15:08.449938538 +0100
+@@ -394,7 +394,7 @@
      if not reason:
          reason = 'not suitable for buildbots'
      try: